open-nomad/website/content/docs/job-specification
grembo 7936c1e33f
Add disable_file parameter to job's vault stanza (#13343)
This complements the `env` parameter, so that the operator can author
tasks that don't share their Vault token with the workload when using 
`image` filesystem isolation. As a result, more powerful tokens can be used 
in a job definition, allowing it to use template stanzas to issue all kinds of 
secrets (database secrets, Vault tokens with very specific policies, etc.), 
without sharing that issuing power with the task itself.

This is accomplished by creating a directory called `private` within
the task's working directory, which shares many properties of
the `secrets` directory (tmpfs where possible, not accessible by
`nomad alloc fs` or Nomad's web UI), but isn't mounted into/bound to the
container.

If the `disable_file` parameter is set to `false` (its default), the Vault token
is also written to the NOMAD_SECRETS_DIR, so the default behavior is
backwards compatible. Even if the operator never changes the default,
they will still benefit from the improved behavior of Nomad never reading
the token back in from that - potentially altered - location.
2023-06-23 15:15:04 -04:00
hcl2 Add information about template to interpolation page (#10807) 2023-02-10 16:12:11 -05:00
affinity.mdx renamed stanza to block for consistency with other projects (#15941) 2023-01-30 15:48:43 +01:00
artifact.mdx docs: update artifact jobspec sshkey example path. (#17077) 2023-05-04 14:29:36 +01:00
change_script.mdx renamed stanza to block for consistency with other projects (#15941) 2023-01-30 15:48:43 +01:00
check.mdx check: Add support for Consul field tls_server_name (#17334) 2023-06-02 10:19:12 -04:00
check_restart.mdx renamed stanza to block for consistency with other projects (#15941) 2023-01-30 15:48:43 +01:00
connect.mdx renamed stanza to block for consistency with other projects (#15941) 2023-01-30 15:48:43 +01:00
constraint.mdx renamed stanza to block for consistency with other projects (#15941) 2023-01-30 15:48:43 +01:00
csi_plugin.mdx Update csi_plugin.mdx (#16584) 2023-03-21 16:16:18 +01:00
device.mdx renamed stanza to block for consistency with other projects (#15941) 2023-01-30 15:48:43 +01:00
dispatch_payload.mdx docs: dispatch_payload and jobs api docs had some weirdness (#16514) 2023-03-16 09:42:46 -07:00
env.mdx renamed stanza to block for consistency with other projects (#15941) 2023-01-30 15:48:43 +01:00
ephemeral_disk.mdx docs: add documentation on ephemeral disk and logs (#15829) 2023-05-17 16:58:11 -04:00
expose.mdx renamed stanza to block for consistency with other projects (#15941) 2023-01-30 15:48:43 +01:00
gateway.mdx connect: use explicit docker.io prefix in default envoy image names (#17045) 2023-05-02 09:27:48 -05:00
group.mdx renamed stanza to block for consistency with other projects (#15941) 2023-01-30 15:48:43 +01:00
identity.mdx Workload Identity, Task API, and Dynamic Node Metadata Docs (#16102) 2023-02-09 16:03:43 -08:00
index.mdx renamed stanza to block for consistency with other projects (#15941) 2023-01-30 15:48:43 +01:00
job.mdx node pools: add node_pool field to job spec (#17379) 2023-06-01 16:08:55 -04:00
lifecycle.mdx renamed stanza to block for consistency with other projects (#15941) 2023-01-30 15:48:43 +01:00
logs.mdx docs: add documentation on ephemeral disk and logs (#15829) 2023-05-17 16:58:11 -04:00
meta.mdx renamed stanza to block for consistency with other projects (#15941) 2023-01-30 15:48:43 +01:00
migrate.mdx renamed stanza to block for consistency with other projects (#15941) 2023-01-30 15:48:43 +01:00
multiregion.mdx renamed stanza to block for consistency with other projects (#15941) 2023-01-30 15:48:43 +01:00
network.mdx renamed stanza to block for consistency with other projects (#15941) 2023-01-30 15:48:43 +01:00
parameterized.mdx renamed stanza to block for consistency with other projects (#15941) 2023-01-30 15:48:43 +01:00
periodic.mdx renamed stanza to block for consistency with other projects (#15941) 2023-01-30 15:48:43 +01:00
proxy.mdx renamed stanza to block for consistency with other projects (#15941) 2023-01-30 15:48:43 +01:00
reschedule.mdx renamed stanza to block for consistency with other projects (#15941) 2023-01-30 15:48:43 +01:00
resources.mdx node pools: apply node pool scheduler configuration (#17598) 2023-06-21 20:31:50 -04:00
restart.mdx renamed stanza to block for consistency with other projects (#15941) 2023-01-30 15:48:43 +01:00
scaling.mdx renamed stanza to block for consistency with other projects (#15941) 2023-01-30 15:48:43 +01:00
service.mdx docs: detail support for Nomad checks in service block. (#16598) 2023-03-22 09:27:58 +01:00
sidecar_service.mdx connect: add meta on ConsulSidecarService (#16705) 2023-03-30 16:09:28 -04:00
sidecar_task.mdx connect: use explicit docker.io prefix in default envoy image names (#17045) 2023-05-02 09:27:48 -05:00
spread.mdx renamed stanza to block for consistency with other projects (#15941) 2023-01-30 15:48:43 +01:00
task.mdx Workload Identity, Task API, and Dynamic Node Metadata Docs (#16102) 2023-02-09 16:03:43 -08:00
template.mdx docs: remove unneeded brackets from job specification template docs (#17219) 2023-05-17 16:45:00 -04:00
update.mdx renamed stanza to block for consistency with other projects (#15941) 2023-01-30 15:48:43 +01:00
upstreams.mdx renamed stanza to block for consistency with other projects (#15941) 2023-01-30 15:48:43 +01:00
vault.mdx Add disable_file parameter to job's vault stanza (#13343) 2023-06-23 15:15:04 -04:00
volume.mdx System and sysbatch jobs always have zero index (#16030) 2023-02-02 16:18:01 -05:00
volume_mount.mdx renamed stanza to block for consistency with other projects (#15941) 2023-01-30 15:48:43 +01:00